I'm sure most practitioners will have become aware of the new IronKey flash drives, with on-board AES encryption and data destruction capabilities if physically tampered with. Not available in the UK yet but out in the US.
I guess it is a small step forward from the U3 drives which have been around for a while now, in that a computer doesn't know it's inserted until a password has been verified, and applications (such as browsers) can be carried around thereon to mask (or minimise) the footprint left on the PC it is inserted into.
All great for bona fide data security but, as with everything, can be used for nefarious means.
Have any of you undertaken a successful analysis of either an IronKey, a U3 flash drive, other similar or a PC which has had either inserted? What's the secret, where do we start looking, etc.
I work for a small UK lab where we are all charged with taking a new technology/trend every six months and researching it for the good of the whole lab. I'm figuring I may take up this challenge next and procure a few drives to meddle with.
All comments welcome.
Although I don't have a technological solution to your question, you did mention "all comments welcome" :)
Attack the weakest link.
Problem components
1 container <— the storage device
2 key <— opens the device
3 keyholder <— charged with keeping the key out of others hands
The weakest link changes over time. Nowadays it's usually 3, regardless of whether 1 is a car, a padlock, a safe, a vault or an encrypted drive.
Either covertly monitor the user and find the keys, or sneak in while he's still in there himself, or make the alternatives to not giving up the keys a lot worse than keeping them secret.
Kern
I was asked to do a similar task for my Department.
I just got my hands on one of these and so far I have not been able to make an image of the device using FTK or EnCase. Getting ready to try dd to see if that has any luck, but I really doubt it.
Also building a PC (Windows XP fully patched) to see what if any remnants are left behind.
I am also interested in finding out what the customized Firefox and Tor client look like from the network side. I have a hub and Wireshark ready to start watching as I begin my testing.
Are there any other ideas of things to look for, or at? Any other tools that might be recommended?
My goal is not to crack the device as much as it is to determine that it was used.
I am open to suggestions for tools to use or things to look at.
Thanks in advance…
Update to my project…
I was able to find records in the registry that indicated that an Ironkey had been connected to the system. HKLM\system\mountedDevices has a list of all devices that have been mounted on the system. The IronKey device is listed among them.
Also a keyword search for IronKey did yield a number of hits in the pagefile along with a search for "Vidalia" which is part of the TOR client that is used to bypass content filters.
So I know I can find out if someone used an IronKey on a machine and loaded the Firefox browser. Not much more than that so far.
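The MountedDevices check described in the update above, written out as an added example (not code from the thread): it parses the UTF-16LE USBSTOR device-instance paths stored in HKLM\SYSTEM\MountedDevices and reports entries for a given vendor string. The sample values, product names, serials and volume GUID below are constructed; only the USBSTOR path layout and the disk-class GUID are real.

```python
"""Flag USB mass-storage entries in MountedDevices data by vendor string."""
import re

# Constructed sample of HKLM\SYSTEM\MountedDevices values (Windows XP layout).
# USB volumes are UTF-16LE device-instance paths; fixed disks carry a 12-byte
# MBR signature + partition offset. Product names and serials are made up.
_IRONKEY = ("_??_USBSTOR#Disk&Ven_IronKey&Prod_Secure_Drive&Rev_1.00"
            "#0123456789AB&0#{53f56307-b6bf-11d0-94f2-00a0c93ec3b3}")
_U3 = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_8.02"
       "#FEDCBA987654&0#{53f56307-b6bf-11d0-94f2-00a0c93ec3b3}")
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4007e000000000000"),
    r"\DosDevices\E:": _IRONKEY.encode("utf-16-le"),
    r"\??\Volume{2b1a9c3e-0000-0000-0000-100000000000}": _IRONKEY.encode("utf-16-le"),
    r"\DosDevices\F:": _U3.encode("utf-16-le"),
}

# Path layout: USBSTOR#Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>#<serial>&<n>#{guid}
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^&]+)&Rev_(?P<rev>[^#]+)#(?P<serial>[^&#]+)"
)

def parse_usb_entries(values):
    """Return one dict per value whose data decodes to a USBSTOR device path."""
    hits = []
    for name, data in values.items():
        if len(data) % 2:            # UTF-16LE data is always an even byte count
            continue
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:   # binary fixed-disk entries may land here
            continue
        m = USBSTOR_RE.search(text)
        if m:
            hits.append({"value": name, **m.groupdict()})
    return hits

def find_vendor(values, vendor):
    """Entries whose vendor string matches case-insensitively, e.g. 'IronKey'."""
    return [h for h in parse_usb_entries(values) if h["ven"].lower() == vendor.lower()]

def read_live_mounted_devices():
    """Read the real key on a Windows host (winreg is Windows-only)."""
    import winreg
    out, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return out
            out[name] = data
            i += 1
```

On a live Windows host pass `read_live_mounted_devices()` instead of the sample dict; for an offline image, load the SYSTEM hive with a registry parser and feed its values the same way. Note that MountedDevices entries persist after the device is removed, so a hit shows the device was mounted at some point, not when.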